Although I've not checked that, I think it does not work as you described.

Snipped from doc:

When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
Regards,
Piotr

2011/9/8 Kingsley Charles <[email protected]>

> It should be AND operation between entries that are in two different lines
> and OR operation, if the entries are on the same line.
>
> Thus in your example, the access-list IP and ARP_Packet should be ANDed.
>
> With regards
> Kings
>
>
> On Thu, Sep 8, 2011 at 4:34 PM, Andrey <[email protected]> wrote:
>
>> Yes, sure, and I thought I answered you there:
>> "forbid arp resolution for block addresses..."
>> and in my example I needed to add this:
>>
>> ip access-list ext IP
>> permit ip 192.168.10.0 0.0.0.255 any
>> !
>> match ip address IP
>>
>> and we get this:
>>
>> LABSW1#sh vlan access-map block_arp
>> Vlan access-map "block_arp" 10
>> Match clauses:
>> ip address: IP
>> mac address: ARP_Packet
>> Action:
>> drop
>> Vlan access-map "block_arp" 20
>> Match clauses:
>> Action:
>> forward
>>
>> LABSW1#sh access-l
>> Extended IP access list IP
>> 10 permit ip 192.168.10.0 0.0.0.255 any
>> Extended MAC access list ARP_Packet
>> permit any any 0x806 0x0
>>
>> BUT I guess that my answer is almost useless because the logic inside entry
>> "vlan access-map "block_arp" 10" will be OR and not AND.
>> Thus there is one answer - Cisco gave us this option for certain
>> facilities so that we would not have to add extra config lines
>> "vlan access-map <MAP> <NUMBER>" and "action drop" if we have to match by
>> ethertype and address+port at the same time.
>> Sorry, I see no other explanation.
>>
>>
>> On Thu, Sep 8, 2011 at 3:40 PM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> Actually I wanted to know the use case of having mac and ip acl as
>>> matching criteria in the same VACL entry.
>>>
>>>
>> --
>> Best regards,
>> Andrey
>>
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
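As an added illustration (not code from the thread or from Cisco), here is a small Python model of the three evaluation rules in the doc snippet Piotr quotes, run over Andrey's block_arp map. It assumes, which the thread does not state, that an IP ACL is the ACL "configured for" IP packets and a MAC ACL the one for non-IP frames such as ARP, and that a sequence with no match clause matches everything; the Frame, Ace and Sequence names are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Assumed (not in the thread): an IP ACL applies to IP packets, a MAC ACL to non-IP frames such as ARP; no match clause = match all.

@dataclass
class Frame:
    ethertype: int = 0x0800
    src_ip: Optional[str] = None        # None for a non-IP frame (e.g. ARP)

@dataclass
class Ace:
    permit: bool
    net: Optional[str] = None           # IP ACE: source network, None = any
    ethertype: Optional[int] = None     # MAC ACE: None = any ethertype
    def matches(self, f: Frame) -> bool:
        if f.src_ip is not None:        # IP packet, so this is an IP ACE
            return self.net is None or ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.net)
        return self.ethertype is None or f.ethertype == self.ethertype

@dataclass
class Sequence:
    number: int
    action: str                         # "forward" or "drop"
    ip_acl: Optional[List[Ace]] = None  # None when there is no 'match ip address'
    mac_acl: Optional[List[Ace]] = None # None when there is no 'match mac address'

def evaluate(access_map: List[Sequence], f: Frame) -> str:
    """Quoted rules: permit match -> action and stop; deny -> move on; no match but ACL seen -> drop."""
    acls_seen = 0
    for seq in sorted(access_map, key=lambda s: s.number):
        if seq.ip_acl is None and seq.mac_acl is None:
            return seq.action           # no match clause: catch-all sequence
        acl = seq.ip_acl if f.src_ip is not None else seq.mac_acl
        if acl is None:
            continue                    # no ACL for this packet type in this sequence
        acls_seen += 1
        for ace in acl:
            if ace.matches(f):
                if ace.permit:
                    return seq.action   # permit match: action taken, stop
                break                   # deny match: go on to the next sequence
    return "drop" if acls_seen else "forward"

def andrey_map() -> List[Sequence]:
    """Andrey's block_arp map: seq 10 drops on ACL IP or ACL ARP_Packet (0x806), seq 20 forwards."""
    return [Sequence(10, "drop", ip_acl=[Ace(True, net="192.168.10.0/24")],
                     mac_acl=[Ace(True, ethertype=0x0806)]),
            Sequence(20, "forward")]
```

Under these rules an IP packet from 192.168.10.0/24 and an ARP frame are each dropped by sequence 10 on their own, which is the OR behaviour Andrey describes; dropping sequence 20 shows the implicit deny from the last quoted rule.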